Trump gets cyber diplomacy and workforce advice from agencies

By Chase Gunter, Derek B. Johnson

Jun 01, 2018

Federal agencies with cybersecurity portfolios transmitted reports this week to President Donald Trump required under a 2017 executive order that called for a full-spectrum analysis of cybersecurity threats.

One longstanding issue familiar to government technology watchers is the shortage of skilled personnel to take cybersecurity jobs – particularly in the face of private-sector competition.

A 52-page report from the Departments of Homeland Security and Commerce stresses the challenge the government is facing on the workforce side. Key is the fact that in government, "cybersecurity pay is below the level needed to attract the necessary talent."

To attract people and get them into their positions faster, the report urges OPM and federal agencies to expand use of direct hire authorities and compensation incentives. It also suggests federal and state governments and the private sector should consider paying off student debt or subsidizing the cost of cybersecurity education. The report also recommends using long-term legislative vehicles to authorize and fund sustained efforts to train and hire the needed cybersecurity workforce.

Moreover, it urges government to speed up its security clearance process by hiring more background investigators, using more interim clearances and increasing automation. The department heads also recommend that the executive branch coordinate federal plans tools to assess cybersecurity career aptitude and technical readiness.

Cyber diplomacy

The State Department released two documents on May 31 providing guidance around how best to achieve U.S. objectives for cyberspace in the global arena and on crafting a cyber deterrence framework.

State is calling on policymakers to reestablish norms in the international arena and develop a "menu of options" to impose escalating consequences on bad actors. The department characterizes the U.S. and other democracies as locked in a battle to shape global norms around cyber policy against states who "seek intergovernmental regulation of cyberspace to diminish the role of stakeholders" and exploit Internet wedge issues like censorship and the flow of data.

On the deterrence front, the department recommends the U.S. start from square one by creating a formal policy that outlines consequences for nation states that engage in malicious cyber activity.

Such a policy must be publicly communicated for it to act as an effective deterrent. Representative Ted Yoho (R-Fla.) introduced legislation in April that would outline a formal process for responding to nation-state cyber attacks, and the Trump administration recently delivered its cyber doctrine to Congress, but that report is currently designated as classified.

The State Department report goes on to say that policymakers should develop a range of "swift, costly and transparent consequences" following a cyber attack. However, that is easier said than done, as challenges remain around speedily and accurately attributing cyber attacks to specific nations.

Megan Stifel, former director of international cyber policy on the National Security Council, told FCW in a May 15 interview that while the U.S. is getting better at attribution by pairing technical forensic analysis with more-traditional intelligence sources, it can still take months or even years to arrive at a high-confidence assessment about who was responsible. Even if faster methods are available, it may be risky for the U.S. to telegraph its knowledge that quickly.

"If we can do attribution at mission speed, probably those are not capabilities that we want to disclose publicly," Stifel said.
